Migration

This document explains how to configure Container Linux components to use secure HTTPS connections to an etcd cluster. The target etcd cluster must already be using HTTPS for its own communications, as explained in the etcd HTTP to HTTPS migration guide.


# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.
flannel:
  etcd_endpoints: "https://172.16.0.101:2379,https://172.16.0.102:2379,https://172.16.0.103:2379"
  etcd_cafile: /etc/ssl/etcd/ca.pem
  etcd_certfile: /etc/ssl/etcd/client.pem
  etcd_keyfile: /etc/ssl/etcd/client-key.pem


If you store the etcd client certificates in a directory other than /etc/ssl/etcd, you also need to tell flanneld.service about the custom directory, because flanneld runs inside a container and only that directory is made available to it.

For example, if you use /etc/etcd/ssl instead, add a flanneld.service drop-in that sets the ETCD_SSL_DIR environment variable to the new location.


# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.
flannel:
  etcd_endpoints: "https://172.16.0.101:2379,https://172.16.0.102:2379,https://172.16.0.103:2379"
  etcd_cafile: /etc/ssl/etcd/ca.pem
  etcd_certfile: /etc/ssl/etcd/client.pem
  etcd_keyfile: /etc/ssl/etcd/client-key.pem
systemd:
  units:
    - name: flanneld.service
      dropins:
        - name: 50-network-config.conf
          contents: |
            [Service]
            Environment="ETCD_SSL_DIR=/etc/etcd/ssl"


Configure fleet to use secure etcd connection

Because fleet is deprecated, Container Linux Configs have no dedicated syntax for configuring it as they do for flannel. Fleet can still be configured easily with a systemd drop-in.


# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.
systemd:
  units:
    - name: fleet.service
      dropins:
        - name: 20-fleet-config.conf
          contents: |
            [Service]
            Environment="FLEET_ETCD_CAFILE=/etc/ssl/etcd/ca.pem"
            Environment="FLEET_ETCD_CERTFILE=/etc/ssl/etcd/client.pem"
            Environment="FLEET_ETCD_KEYFILE=/etc/ssl/etcd/client-key.pem"
            Environment="FLEET_ETCD_SERVERS=https://172.16.0.101:2379,https://172.16.0.102:2379,https://172.16.0.103:2379"
            Environment="FLEET_METADATA=hostname=server1"
            Environment="FLEET_PUBLIC_IP=172.16.0.101"


Configure Locksmith to use secure etcd connection


# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.
systemd:
  units:
    - name: locksmithd.service
      dropins:
        - name: 20-locksmithd-config.conf
          contents: |
            [Service]
            Environment="LOCKSMITHD_ETCD_CAFILE=/etc/ssl/etcd/ca.pem"
            Environment="LOCKSMITHD_ETCD_CERTFILE=/etc/ssl/etcd/client.pem"
            Environment="LOCKSMITHD_ETCD_KEYFILE=/etc/ssl/etcd/client-key.pem"
            Environment="LOCKSMITHD_ENDPOINT=https://172.16.0.101:2379,https://172.16.0.102:2379,https://172.16.0.103:2379"

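As an added check that is not part of this guide, the following Python script parses systemd drop-ins like the fleet and locksmithd ones above and flags endpoint lists that still contain http:// entries or TLS file variables that were left unset; the same audit applies to the ETCD_LISTEN_CLIENT_URLS edit in the legacy-port section. The drop-in contents embedded below are constructed samples, not files taken from a real host.

```python
"""Audit etcd client and server drop-ins for plain-HTTP endpoints and missing TLS files."""
import re
from urllib.parse import urlparse

# Matches lines such as: Environment="FLEET_ETCD_SERVERS=https://172.16.0.101:2379"
ENV_RE = re.compile(r'^\s*Environment=\s*"?([A-Za-z0-9_]+)=([^"]*)"?\s*$')


def parse_dropin(text):
    """Collect KEY=VALUE pairs from the Environment= lines of a systemd drop-in."""
    env = {}
    for line in text.splitlines():
        m = ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def insecure_urls(value):
    """Return the comma-separated URLs in value that still use plain http://."""
    urls = (u.strip() for u in value.split(","))
    return [u for u in urls if u and urlparse(u).scheme == "http"]


def audit(text, url_var, tls_vars=()):
    """Findings for one drop-in: http:// endpoints in url_var, unset TLS file variables."""
    env = parse_dropin(text)
    findings = [f"{url_var} still lists plain-HTTP endpoint {u}"
                for u in insecure_urls(env.get(url_var, ""))]
    findings += [f"{var} is not set; the client cannot present a certificate to etcd"
                 for var in tls_vars if not env.get(var)]
    return findings


# Constructed samples: 40-tls.conf before and after the legacy port is removed.
ETCD_TLS_BEFORE = """[Service]
Environment="ETCD_LISTEN_CLIENT_URLS=https://172.16.0.101:2379,http://127.0.0.1:4001"
"""
ETCD_TLS_AFTER = """[Service]
Environment="ETCD_LISTEN_CLIENT_URLS=https://172.16.0.101:2379"
"""
# Constructed fleet drop-in in which the client key was forgotten.
FLEET_MISSING_KEY = """[Service]
Environment="FLEET_ETCD_CAFILE=/etc/ssl/etcd/ca.pem"
Environment="FLEET_ETCD_CERTFILE=/etc/ssl/etcd/client.pem"
Environment="FLEET_ETCD_SERVERS=https://172.16.0.101:2379,https://172.16.0.102:2379"
"""
FLEET_TLS_VARS = ("FLEET_ETCD_CAFILE", "FLEET_ETCD_CERTFILE", "FLEET_ETCD_KEYFILE")
```

Run audit() over the real drop-ins under /etc/systemd/system/*.service.d/ on each node; an empty list for every client and for etcd2 means the legacy http:// listener can be dropped safely.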

Remove legacy etcd ports configuration

Once all etcd clients are configured to use the secure ports, the insecure legacy configuration can be disabled. If you followed the etcd Live HTTP to HTTPS migration guide, edit /etc/systemd/system/etcd2.service.d/40-tls.conf and remove the value http://127.0.0.1:4001 from the ETCD_LISTEN_CLIENT_URLS environment variable. The edited 40-tls.conf should end up looking like: